Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    151s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/05/2024, 14:51

General

  • Target

    e33a087df867e08ef26ac3b2f81f2910_NEIKI.exe

  • Size

    85KB

  • MD5

    e33a087df867e08ef26ac3b2f81f2910

  • SHA1

    9dbcb01012c385806af206e029a5348b2db55f8a

  • SHA256

    7888c7dea7ba6e2b5d8ef53347c571d886f0a9d976f9f48ba934ac036c7291a6

  • SHA512

    7afd0a9362e0f3fd3342e22d3f13decd5ed6309768a486e104ea41f6809e4f6fc925fdd3548db4b270419deb40b8b0ec437580ad9be23ee74bcc53aa51dce641

  • SSDEEP

    768:4a4r+PpHfXGLOFCk6SLARI+WEkFfsEjUPIOuJI5R7xuMAnXMcMaJIWmS2zIzV9xl:sr+Fum5LMI+WTJjcsnXMcpm/zOxJXKJs

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 6 IoCs
  • Manipulates Digital Signatures 1 IoCs

    Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops desktop.ini file(s) 24 IoCs
  • Drops autorun.inf file 1 TTPs 25 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 3 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e33a087df867e08ef26ac3b2f81f2910_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\e33a087df867e08ef26ac3b2f81f2910_NEIKI.exe"
    1⤵
    • Drops file in Drivers directory
    • Checks computer location settings
    • Modifies registry class
    • NTFS ADS
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1616
    • C:\Windows\SysWOW64\drivers\winlogon.exe
      "C:\Windows\System32\drivers\winlogon.exe"
      2⤵
      • Drops file in Drivers directory
      • Checks computer location settings
      • Executes dropped EXE
      • Drops autorun.inf file
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4148
      • C:\Windows\AE 0124 BE.exe
        "C:\Windows\AE 0124 BE.exe"
        3⤵
        • Manipulates Digital Signatures
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops desktop.ini file(s)
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3088
        • C:\Windows\SysWOW64\drivers\winlogon.exe
          "C:\Windows\System32\drivers\winlogon.exe"
          4⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          PID:1764
      • C:\Windows\SysWOW64\drivers\winlogon.exe
        "C:\Windows\System32\drivers\winlogon.exe"
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:1052
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3972 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:3100

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Msvbvm60.dll

      Filesize

      1.4MB

      MD5

      25f62c02619174b35851b0e0455b3d94

      SHA1

      4e8ee85157f1769f6e3f61c0acbe59072209da71

      SHA256

      898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

      SHA512

      f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

    • C:\Windows\SysWOW64\drivers\winlogon.exe

      Filesize

      130KB

      MD5

      b546cdcea3b9871b5c8c9fde3794896f

      SHA1

      cb3dafe0b8e6c7231b2a81f363e52bf14d38d4e0

      SHA256

      c09eba76d404a200d4db263c0cfb9ee5d5fa39cbc343842e974644d30f6e5bea

      SHA512

      ed7ff7e41cb63ba0ac7e13901f223e81ba46e2d3553ded793825b08972ff42bfabf1c41a3e1ebec11252726344bb563a2f2e18eae253bd4b45201a6c8617b30b

    • \??\c:\B1uv3nth3x1.diz

      Filesize

      21B

      MD5

      9cceaa243c5d161e1ce41c7dad1903dd

      SHA1

      e3da72675df53fffa781d4377d1d62116eafb35b

      SHA256

      814649b436ea43dd2abb99693e06019d4079ee74d02a0395913add0ba92d0189

      SHA512

      af9b75dc9a0b39d12d48bf6d40eb7d778eb9dd976302792271d8d4245a916027cf4e705d6cd7a5e6582ba94953346f291122f27d377b2c1a86e45f49e92efb5b